The IRS Just Weighed In on AI

What OPR's first written AI guidance means for your practice, and what to do Monday morning

By the team at The AI Lab for Accountants

For about two years, every conversation we've had with accountants about AI hits the same wall: "But the IRS hasn't actually said anything specific about this, has it?" It was a fair point. The §7216 rules predate the technology, the most recent guidance on the subject predates it too, and a lot of the careful work our community has done has been inference, reading the existing rules and applying them honestly to a tool the rules never anticipated.

As of June 24, 2026, that wall is gone. The IRS Office of Professional Responsibility issued Alert 2026-19, "Introductory Guidelines for Responsible AI Use in Federal Tax Practice." It is the first time the IRS has put its name, in writing, on how Circular 230 applies when you use AI in tax practice.

Here is the good news, and it is genuinely good news: almost nothing about it should surprise you, and nothing in it should scare you off AI. If you've been using AI with controls, OPR just confirmed you're on the right path. If you've been using it without them, this is your notice to fix that before it becomes a disciplinary file.

Let's walk you through what it says, what's new, what it pointedly doesn't resolve, and what to actually do about it.

First, what this is (and what it isn't)

OPR is the office that enforces Circular 230. It is the office that can suspend or disbar a practitioner. So when OPR publishes an alert, it isn't a regulation and it isn't a revenue ruling, but it carries real weight: it tells you what OPR is watching for, and what a future disciplinary case is likely to look like.

What it is not is a new rulebook. OPR is explicit that AI doesn't change your duties. In their words, "ethical obligations of competence, diligence, and confidentiality remain unchanged." The whole document is existing Circular 230 duties, read through an AI lens. That's the through-line, and it's the reassuring part: AI is not a new category of risk. It's your existing duties, applied to a new kind of tool.

The six duties OPR mapped to AI

OPR ran through six provisions. Here they are in plain English, with the takeaway for each.

• §10.22, Due diligence. You must review everything AI produces before it goes to a client or the IRS, verifying facts, citations, and calculations. You cannot rely solely on the machine.
• §10.35, Competence. You have to actually understand the tool: how it generates content, where it's prone to bias and error, and whether its output is fit for the matter. Not knowing how your AI works is itself a competence problem.
• §10.36, Firm procedures. If you oversee a practice, you must have procedures for AI: staff training on the risks, internal protocols for secure data handling and accuracy monitoring, and vetting of third-party AI tools, all documented. This is the WISP-and-policy work, and OPR just made it explicit for AI.
• §10.37, Written advice. Advice has to rest on reasonable assumptions and real authorities. You can't lean on AI projections or citations without checking them. If the tool's logic is opaque, relying on it may itself be unreasonable.
• §10.27(a), Fees. More on this one below, because it's the surprise.
• §10.51(a)(15), Disreputable conduct. Willful unauthorized use or disclosure of taxpayer return information, including a violation of the Internal Revenue Code, is independently sanctionable. This is the bridge that turns a §7216 slip into an OPR matter.

And tying it all together, OPR cites IRC §6713 and §7216(a) directly, with a footnote that quotes the definition of tax return information verbatim from Treas. Reg. §301.7216-1(b)(3), the exact text our community has been working from. OPR is treating AI-related §7216 exposure as a live enforcement concern, not a theoretical one.

If you want the full decision tree for how §7216 actually applies to AI, that's the §7216 Decision Framework. OPR 2026-19 lines up with it.

What's genuinely new: the billing rule

Most of the alert confirms what we already knew. One part will catch people off guard, and it's worth its own spotlight.

OPR put fees (§10.27) on the table. The line that matters:

"billing clients for manual labor or time that was not actually spent or double billing for AI-assisted tasks may violate § 10.27"

Read that again. If AI lets you do in ten minutes what used to take three hours, and you bill three hours anyway, OPR is telling you that can be an unconscionable-fee problem, especially if it shows up as a pattern across clients or in the size of the billing differences. Their fix: pass the savings through. Disclose, in general or specific terms, the AI activities you performed, and fairly credit the client for the cost reduction.

We'll be honest: this is the part of the alert most firms haven't thought about at all. Everyone's focused on confidentiality. Nobody budgeted for the idea that AI efficiency might come with a billing-transparency obligation. It does now.

The line OPR drew on tools

There's one sentence in the alert that does more work than its length suggests:

"Practitioners must strictly handle all client data using only secure, enterprise-approved AI."

OPR doesn't define "enterprise-approved," and we'll come back to that gap. But the direction is unmistakable. This is the closest the IRS has come to drawing a line between consumer-grade AI (the free ChatGPT tab, a personal Claude account) and enterprise or business-tier tools with real data terms. Paired with their plain instruction to "never upload sensitive data to unsecured sites," the message to the profession is clear: free consumer tools are not the place for client return information.

This is exactly the "anonymize, or use a firm-approved tool under the right agreement" posture we've been teaching. OPR just said it in their own words.

A warning shot worth taking seriously

OPR didn't only cite rules. They told a story, and they chose it deliberately. They point to Deloitte Australia, which in July 2025 delivered a 230-plus-page report to the Australian government that turned out to contain AI-generated invented quotes, references to reports that don't exist, and a book attributed to the wrong author. Deloitte reportedly refunded part of its fee.

OPR's reason for including it is pointed: hallucination sanctions aren't just a lawyer problem anymore. Courts have been sanctioning attorneys for fake AI citations for a while, but OPR is signaling that the same exposure is reaching tax and accounting professionals. The lesson is the one we keep coming back to: treat AI output as a draft, and check every citation before it leaves your desk.

What OPR did NOT resolve (don't overread this)

Here's where we want to be straight with you, because the value of this community is that we don't oversell. This alert is important, but it is an introductory guideline, and it leaves the hardest questions open. Do not assume these are settled:

• Whether a local, self-hosted model counts as a "disclosure" under §7216. Not addressed. The plain-text argument that it isn't still holds, but it still has no IRS blessing.
• Whether you need §7216 consent before uploading to a cloud AI tool. Not resolved. "Use secure, enterprise-approved AI" is a data-security instruction, not a consent rule. The consent mechanics are untouched.
• What "enterprise-approved" actually means. No definition, no bright-line test.
• How Rev. Proc. 2013-14 consent forms apply to AI. Not mentioned.
• Offshore subprocessor access and the special SSN rule. Not addressed.

So the alert closes one argument cleanly, "the IRS hasn't said anything about AI", and that argument is over. But it does not hand you a green light to skip consent analysis or to assume your cloud tool is fine because it's labeled "enterprise." The careful path is still the careful path.

What to do Monday morning

You don't need a project plan. You need a handful of concrete moves, most of which you can knock out this week:

1. Write down your AI policy. Even one page. Which tools are approved, for what, and what's off-limits. §10.36 now expects this to exist. Having no policy is itself the exposure.
2. Get off consumer tiers for anything client-related. If real client data touches AI, it goes through a firm-approved, secure tool with the right data terms. Free tabs are for anonymized or non-client work only.
3. Vet your AI vendors, in writing. No training on your data, defined retention, U.S. processing, a signed agreement, and a spot in your WISP. The one-page categorization-tool check walks the vendor questions if you're vetting a bookkeeping AI.
4. Make "verify the citation" a hard step. Nothing AI cites goes into a return, memo, or client answer until you've confirmed it against primary source. Treat unverified as wrong.
5. Look at your billing. Where AI is saving real time, decide how you're disclosing it and crediting it. Get ahead of §10.27 before a client, or OPR, raises it.
6. Train your people. A short session on the risks and your rules. OPR named staff training specifically.

If you want the whole framework behind these moves, start with the Guardrails. They haven't changed. OPR just gave them the IRS's signature.

The bottom line

For two years the open question was whether the IRS would ever speak to AI. It has. And what it said wasn't a crackdown on the technology, it was a reminder that the rules you already follow follow you into the tool. Competence, diligence, confidentiality, honest billing, human judgment as the final word. None of it new.

That's the headline we'd want you to take away: the practitioners who built controls were right, and OPR just proved it. The ones who've been pasting client data into a free chatbot and billing like nothing changed, this is the moment to stop. The good news is that getting compliant isn't hard, and you already know how. It's what we do.

← Back to the Safe-Use Planner

This is an educational summary of OPR Alert 2026-19 for AI Lab members, not legal advice. Verify against the primary guidance and your own state board before relying on any point for a specific situation. The licensed professional is the reviewer of record.